On Nov 15, 2008, at 2:13 PM, Micah Stetson wrote:
> I'm unclear as to what "amount of state" iptables needs to keep
After you do something like:

# iptables -t nat -A POSTROUTING -p TCP -j MASQUERADE

the Linux kernel module called nf_conntrack starts allocating
data structures to do its job. I'll leave it up to you to see how much
memory gets wasted on each connection. Here's a hint,
though: /proc/net/nf_conntrack
> I don't think Plan 9 is keeping any less state, is it?
Not really, no. My point was that the amount of state in a typical
Linux-based NAT box was quite comparable and thus couldn't
be used to bash Plan9's approach as being visibly less efficient
as far as TCP overhead goes.
> Plan 9 does need one extra connection per client and a process (or
> two?) to do the export.
Yes it does need one extra connection for /net to be imported. Depending
on the setup that extra connection could be reduced to one per host
importing the /net. I specifically didn't address the point of extra
processes running on the GW simply because I agree -- there's a price
there that Linux doesn't pay (although as I've learned from Bruce
Inferno has reduced the price for running identical processes quite
significantly by implementing silent page sharing).
> I think Eris is saying that this makes Plan
> 9's resource requirements grow with the number of hosts behind the
> gateway -- not just with the number of connections through it like
> Linux.
I don't quite follow. If by resources you mean process related resources
then I would agree. My very first comment didn't have anything to do
with process related resources. And for the TCP related resources I
maintain that the amount of overhead in Plan9's case is definitely
comparable to Linux's case.
Thanks,
Roman.
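The thread leaves it to the reader to look at /proc/net/nf_conntrack and see how much per-connection state a masquerading Linux gateway keeps. The script below is an added example, not code from anyone in this thread: it parses that file's line format (layer-3 and layer-4 protocol, timeout, an optional TCP state, then the original-direction and reply-direction tuples with bracketed flags such as [ASSURED] and [UNREPLIED]) and counts entries by protocol, TCP state and inside host, flagging which entries were rewritten by NAT. The sample table is constructed, the public address 203.0.113.5 and the inside hosts are invented, and the sysctl paths under /proc/sys/net/netfilter are the standard ones, so on a real gateway it reads the live table when run as root and otherwise falls back to the sample.

```python
"""Count the per-connection state a Linux NAT gateway keeps in nf_conntrack.

Added example for the thread above; not the thread authors' code. Assumes the
/proc/net/nf_conntrack line format of the Linux netfilter conntrack module.
"""
from collections import Counter
from dataclasses import dataclass, field
import os

NF_CONNTRACK = "/proc/net/nf_conntrack"
CT_SYSCTL_DIR = "/proc/sys/net/netfilter"
TUPLE_KEYS = {"src", "dst", "sport", "dport"}

# Constructed sample table, not captured from a real gateway. Inside hosts
# 192.168.1.x are masqueraded behind the invented public address 203.0.113.5;
# the last entry is a non-NATed flow (reply dst equals original src).
SAMPLE = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=198.51.100.7 sport=51234 dport=443 src=198.51.100.7 dst=203.0.113.5 sport=443 dport=51234 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 117 TIME_WAIT src=192.168.1.10 dst=198.51.100.8 sport=51235 dport=80 src=198.51.100.8 dst=203.0.113.5 sport=80 dport=51235 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=192.168.1.11 dst=198.51.100.53 sport=40001 dport=53 src=198.51.100.53 dst=203.0.113.5 sport=53 dport=40001 mark=0 zone=0 use=2
ipv4     2 tcp      6 104 SYN_SENT src=192.168.1.12 dst=198.51.100.9 sport=51236 dport=22 [UNREPLIED] src=198.51.100.9 dst=203.0.113.5 sport=22 dport=51236 mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=10.0.0.6 sport=3333 dport=80 src=10.0.0.6 dst=10.0.0.5 sport=80 dport=3333 [ASSURED] mark=0 zone=0 use=2
"""


@dataclass
class Entry:
    l4proto: str
    timeout: int
    state: str                                  # TCP state; "-" for UDP and other stateless protocols
    orig: dict = field(default_factory=dict)    # tuple as sent by the inside host
    reply: dict = field(default_factory=dict)   # tuple the gateway expects replies on
    flags: set = field(default_factory=set)

    @property
    def natted(self) -> bool:
        # MASQUERADE rewrites the source, so the reply tuple's dst no longer
        # equals the original src.
        return self.orig.get("src") != self.reply.get("dst")


def parse_line(line: str):
    """Parse one nf_conntrack line; return None for blank or malformed lines."""
    tokens = line.split()
    if len(tokens) < 5:
        return None
    entry = Entry(l4proto=tokens[2], timeout=int(tokens[4]), state="-")
    rest = tokens[5:]
    # A bare word before the first key=value is the TCP state (absent for UDP).
    if rest and "=" not in rest[0] and not rest[0].startswith("["):
        entry.state = rest.pop(0)
    for tok in rest:
        if tok.startswith("["):
            entry.flags.add(tok.strip("[]"))
            continue
        key, _, value = tok.partition("=")
        if key not in TUPLE_KEYS:
            continue  # mark=, zone=, use= belong to neither tuple
        # First occurrence of a key is the original direction, second the reply.
        target = entry.orig if key not in entry.orig else entry.reply
        target[key] = value
    return entry


def summarize(text: str) -> dict:
    """Count table entries by protocol, TCP state and masquerading inside host."""
    entries = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    natted = [e for e in entries if e.natted]
    return {
        "total": len(entries),
        "natted": len(natted),
        "by_proto": Counter(e.l4proto for e in entries),
        "by_state": Counter(e.state for e in entries),
        "unreplied": sum("UNREPLIED" in e.flags for e in entries),
        # State scales with connections; a host costs nothing until it opens one.
        "per_inside_host": Counter(e.orig["src"] for e in natted),
    }


def table_pressure():
    """(count, max) from the conntrack sysctls, or None off Linux. At max the
    kernel drops new connections ("nf_conntrack: table full, dropping packet")."""
    try:
        with open(os.path.join(CT_SYSCTL_DIR, "nf_conntrack_count")) as f:
            count = int(f.read())
        with open(os.path.join(CT_SYSCTL_DIR, "nf_conntrack_max")) as f:
            limit = int(f.read())
    except OSError:
        return None
    return count, limit


def load_table() -> str:
    """Live table when readable (root on most systems), else the constructed sample."""
    try:
        with open(NF_CONNTRACK) as f:
            return f.read()
    except OSError:
        return SAMPLE


if __name__ == "__main__":
    s = summarize(load_table())
    print(f"{s['total']} entries, {s['natted']} masqueraded, {s['unreplied']} unreplied")
    print("by protocol:", dict(s["by_proto"]), "by TCP state:", dict(s["by_state"]))
    print("per inside host:", dict(s["per_inside_host"]))
    pressure = table_pressure()
    if pressure:
        print("conntrack table usage: %d / %d" % pressure)
```

The per-host counter is the point of contention in the thread: on the Linux side an idle host behind the gateway holds no conntrack entries at all, and state appears only as that host opens connections, whereas the Plan 9 import of /net costs at least one connection per client regardless. The table_pressure check is the operational one: when nf_conntrack_count reaches nf_conntrack_max the gateway silently drops new flows, so it is worth monitoring on any busy masquerading box.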